Network traffic analysis for incident response

Firewalls and IDS/IPS

October 5, 2020 by Nitesh Malviya

Introduction

A typical corporate network makes use of a number of networking devices and mechanisms to prevent various attacks and maintain the security of the network. Firewalls and IDS/IPS are among the most important network defenses used to achieve this goal. In this article, we will learn about them.

Firewall

A firewall is a network security device placed at the perimeter of the corporate network, so that every packet entering the network first passes through the firewall.

The main function of the firewall is to screen all the packets entering, leaving and flowing in the network to prevent unauthorized access between two or more computers. A firewall scans all the packets and accordingly allows, denies or drops packets, depending upon the rules configured on it.

For example, a firewall may have rules configured to allow only HTTP packets. If that firewall receives an ICMP packet, it simply drops the packet and does not allow it into the network.
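As an added example (not code from the article), the following Python models the rule set just described, "allow only HTTP, drop everything else", as a packet filter with a first-match rule list, a default-deny policy and the connection tracking that stateful packet inspection adds; the packet fields and addresses are constructed for the demo.

```python
# Added example: minimal stateful packet filter. Rules are evaluated top to
# bottom, first match wins, and anything unmatched is dropped (default deny).
# Replies belonging to a connection the firewall already admitted are allowed
# through by connection tracking, which is what "stateful" inspection adds.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    inbound: bool = True   # True = entering the protected network


# Constructed rule list matching the article's example: HTTP in, ICMP never.
RULES = [
    {"proto": "tcp", "dport": 80, "inbound": True, "action": "allow"},
    {"proto": "icmp", "action": "drop"},
]


class StatefulFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.conntrack = set()   # (proto, client, sport, server, dport)

    @staticmethod
    def _match(rule, pkt):
        return all(getattr(pkt, k) == v for k, v in rule.items() if k != "action")

    def decide(self, pkt):
        """Return "allow" or "drop" for one packet."""
        # 1. A reply on a connection we already admitted is allowed without
        #    consulting the static rules (stateful packet inspection).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "allow"
        # 2. Otherwise walk the rule list; no match means the default policy.
        for rule in self.rules:
            if self._match(rule, pkt):
                if rule["action"] == "allow":
                    self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule["action"]
        return "drop"


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.decide(Packet("tcp", "203.0.113.5", "192.0.2.10", 40000, 80)))   # allow
    print(fw.decide(Packet("icmp", "203.0.113.5", "192.0.2.10")))             # drop
```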

Firewall types

Generally, two types of firewall are in use. They are as follows:

  1. Network-based firewall: These firewalls function at the network level. They handle all the packets coming into and going out of the network and filter traffic based on the rules configured on the firewall.
  2. Host-based firewall: Host-based firewalls are installed on an individual computer/PC. Such a firewall filters all the traffic for a single dedicated system — unlike network-based ones, which protect the whole network. These are software firewalls, which usually come as part of the operating system.

Firewall classification

Firewalls come in many forms. They are:

  1. Hardware firewall
  2. Software firewall
  3. Packet-filter firewall
  4. Proxy firewall
  5. Application gateways
  6. Circuit-level gateways
  7. Stateful packet inspection (SPI)

IDS

IDS stands for Intrusion Detection System. As the name suggests, it monitors traffic for illegitimate packets or suspicious activity and raises an alert when it comes across one. An IDS is usually software that scans network traffic and reports its findings to a SIEM for further analysis, so that the correct measures can be taken.

IDS detection method

An IDS implements two methods to detect anomalous packets in the network. They are:

  1. Signature-based detection: In signature-based detection, the IDS detects malicious packets by observing events and comparing their patterns with the signatures of known attacks. If a signature matches, an alert is raised; otherwise the packet is allowed into the network.
  2. Anomaly-based detection: In anomaly-based detection, packets are judged against a predefined set of rules or patterns describing expected traffic rather than against signatures of known attacks. If a packet does not match those rules/patterns, an alert is raised and sent to the SIEM.
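The two detection methods above, written as an added example (not code from the article) in Python: signature matching looks for known-bad patterns in each request, while anomaly detection learns a per-source request-count baseline from known-good traffic and flags sources that deviate from it. The log lines, signature list and threshold are constructed for the demo.

```python
# Added example: signature-based vs anomaly-based detection over constructed
# web-server log lines of the form "<src_ip> <method> <path> <status>".
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed "normal" traffic used to learn the baseline.
BASELINE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.7 GET /images/logo.png 200",
    "10.0.0.8 GET /index.html 200",
]

# Constructed traffic to inspect: one traversal attempt, one noisy source.
NEW_LOG = (
    ["10.0.0.9 GET /../../etc/passwd 404"]
    + ["198.51.100.4 GET /login 401"] * 40
    + ["10.0.0.5 GET /index.html 200"]
)

# Signature-based: (name, compiled pattern) for each known attack shape.
SIGNATURES = [
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("sql-keyword-in-path", re.compile(r"(?i)union\s+select")),
]


def signature_alerts(lines):
    """Return [(src_ip, signature_name)] for every line matching a signature."""
    alerts = []
    for line in lines:
        src, _method, path, _status = line.split()
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(baseline_lines, new_lines, k=3.0):
    """Learn the per-source request count from baseline_lines, then flag any
    source in new_lines whose count exceeds mean + k * standard deviation."""
    base_counts = list(Counter(l.split()[0] for l in baseline_lines).values())
    limit = mean(base_counts) + k * pstdev(base_counts)
    new_counts = Counter(l.split()[0] for l in new_lines)
    return sorted(src for src, n in new_counts.items() if n > limit)
```

A real IDS would run both methods on the same traffic: signatures catch the known attack here, and the baseline catches the burst that matches no signature at all.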

IDS classification

IDSes can be classified into five types. 

  1. Network Intrusion Detection System (NIDS)
  2. Host Intrusion Detection System (HIDS)
  3. Protocol-based Intrusion Detection System (PIDS)
  4. Application Protocol-based Intrusion Detection System (APIDS)
  5. Hybrid Intrusion Detection System

IPS

IPS stands for Intrusion Prevention System. As the name suggests, it detects malicious packets, sends the information to the SIEM and blocks the packets. Unlike an IDS, which only detects and reports a packet, an IPS attempts to block it as well. Thus, an IPS is a bit more advanced and more effective than an IDS.

IPS detection method

An IPS implements three methods to detect anomalous packets and block them. They are:

  1. Signature-based detection: In signature-based detection, the IPS detects malicious packets by observing events and comparing their patterns with the signatures of known attacks. If a signature matches, an alert is raised and the packet is dropped.
  2. Anomaly-based detection: In anomaly-based detection, packets are judged against a predefined set of rules or patterns describing expected traffic rather than against signatures of known attacks. If a packet does not match those rules/patterns, an alert is raised and sent to the SIEM, and the packet is dropped.
  3. Stateful protocol analysis detection: In stateful protocol analysis detection, detection is based on deviation from the expected behavior of the protocol. Incoming packets are compared with a profile of accepted protocol definitions, and the packet is dropped or allowed accordingly.
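Stateful protocol analysis, the third method above, as an added example (not code from the article): a toy analyzer tracks the TCP handshake state of each connection and, in IPS fashion, returns a drop decision plus an alert reason for segments that deviate from how TCP is defined to behave (impossible flag combinations, or data arriving on a connection that never completed a handshake). The state names, segment fields and sample flow are constructed for the demo.

```python
# Added example: toy stateful protocol analysis for TCP, IPS style. Each
# segment is compared with the accepted definition of the protocol given the
# connection's current state; deviations are alerted on and dropped.
from dataclasses import dataclass, field

# Subset of TCP's real state machine, enough to follow the three-way handshake.
NEW, SYN_SEEN, SYNACK_SEEN, ESTABLISHED = "new", "syn", "synack", "established"


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset       # e.g. frozenset({"SYN"})
    payload_len: int = 0


@dataclass
class TcpProtocolAnalyzer:
    states: dict = field(default_factory=dict)   # key: frozenset({src, dst})

    def inspect(self, seg):
        """Return ("allow", None) or ("drop", reason); reason doubles as alert."""
        key = frozenset({seg.src, seg.dst})
        state = self.states.get(key, NEW)
        f = seg.flags
        # Flag combinations that no legitimate TCP stack ever emits.
        if {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
            return "drop", "invalid flag combination"
        if state == NEW:
            if f == {"SYN"}:
                self.states[key] = SYN_SEEN
                return "allow", None
            return "drop", "segment outside a handshake"
        if state == SYN_SEEN and f == {"SYN", "ACK"}:
            self.states[key] = SYNACK_SEEN
            return "allow", None
        if state == SYNACK_SEEN and "ACK" in f and "SYN" not in f:
            self.states[key] = ESTABLISHED      # handshake complete
            return "allow", None
        if state == ESTABLISHED:
            if "FIN" in f or "RST" in f:
                del self.states[key]            # connection torn down
            return "allow", None
        return "drop", "segment violates handshake order"
```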

Firewall vs. IDS vs. IPS

The following is a general comparison of firewall, IDS and IPS.

Firewall                                                        | IDS                                            | IPS
----------------------------------------------------------------|------------------------------------------------|--------------------------------------------------------
Filters incoming and outgoing traffic based on predefined rules | Monitors traffic and raises alerts             | Monitors traffic, raises alerts and drops the packets
Filters traffic based on IP and port number                     | Detects and raises alerts for malicious traffic | Detects, raises alerts and blocks malicious traffic
Functions on layer 3                                            | Functions on layer 2                           | Functions on layer 2
Placed at the perimeter of the network; the first line of defense | Placed after the firewall                    | Placed after the firewall
Does not analyze traffic patterns                               | Analyzes traffic patterns                      | Analyzes traffic patterns
Blocks malicious packets                                        | Raises alerts for malicious packets            | Blocks malicious packets


Conclusion

This article provided an overview of firewalls, IDS and IPS. It also stressed their importance and their role in protecting the corporate network. We saw why they should be part of every network and how they provide active defense against malicious attacks from outside actors.



Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and open to explore various domains of CyberSecurity. He can be reached on his personal blog – https://nitmalviya03.wordpress.com/ and Linkedin – https://www.linkedin.com/in/nitmalviya03/.